Do I need to disclose Resend in my privacy policy?

Yes. Resend processes personal data (email addresses and content) on your behalf, making it a third-party data processor. You must disclose Resend by name in your privacy policy and explain that you use it to send emails. This transparency is required under GDPR, CCPA, and other privacy regulations.

What specific data does Resend collect?

Resend collects recipient email addresses, email subject lines and content, sender domain and identity information, and delivery and engagement metrics (opens, clicks, bounces). Email content may include sensitive personal data, so you should avoid sending PII through Resend unless necessary and appropriately disclosed to users.

Does Resend require a cookie consent banner?

Resend itself does not set cookies on user devices. However, Resend's tracking pixels may record engagement data (opens and clicks) in ways that could trigger privacy requirements depending on your jurisdiction. Review your email content and Resend's tracking features to determine if consent is needed.

Who is the data processor and where is my data stored?

Resend Inc., based in the United States, is the data processor. Data is transferred to and processed in the US. You should review Resend's Data Processing Agreement (DPA) and privacy policy at https://resend.com/legal/privacy-policy to understand data residency, retention, and your obligations under GDPR or other regulations requiring adequacy assessments.

Privacy policy clauses for Resend

Resend is a developer-friendly email API that websites use to send, deliver, and track transactional and marketing emails. It processes recipient addresses, email content, and engagement metrics to enable reliable email delivery at scale.

Scan my site free →Copy sample clause ↓

Free scan · No signup · Results in 60 seconds

What data Resend collects

Your privacy policy must disclose each of the following data types when you use Resend.

Recipient email addresses

Email content and subject lines

Delivery and engagement tracking

Sender domain and identity

When does Resend trigger privacy obligations?

Resend is triggered the moment you integrate its API into your application or website to send transactional or marketing emails. At that point, recipient email addresses (PII under GDPR Article 4(1) and CCPA Section 1798.100) flow to Resend's US servers, along with email content and engagement metadata.

GDPR applies immediately if:

–Any recipient is in the EU/EEA, *or*
–You offer services to EU residents (territorial scope under GDPR Article 3(2))

Privacy policy clauses for Resend

What data Resend collects

When does Resend trigger privacy obligations?

Where data goes

Common compliance pitfalls

Sending Marketing Emails Without Explicit Consent

Missing or Inadequate Data Processing Agreement (DPA)

Failing to Disclose Resend's US Data Location

Legal note

Sample privacy policy clause

What regulators look for

Frequently asked questions

Do I need to disclose Resend in my privacy policy?

What specific data does Resend collect?

Does Resend require a cookie consent banner?

Who is the data processor and where is my data stored?

Don't ship without Bandit.